VPN or DirectAccess? Why not Both!

In my other blog post, I outlined why a DirectAccess solution often can’t completely replace a traditional VPN for secure remote access. As I discussed in that post, DirectAccess is a unique solution designed exclusively for managed Windows clients. It is aimed squarely at large organizations that need to provide a more secure remote access alternative to client-based VPN while at the same time reducing management and support costs for their field-based assets.

Since DirectAccess does not provide support for all remote access scenarios (e.g. non-managed Windows clients or non-Microsoft devices such as iPads), you may be thinking “why not just use VPN exclusively for my remote access needs?”

DirectAccess has many important benefits over client-based VPN that can be vital to the objectives of IT organizations across all industry verticals. A few of those benefits are outlined below.

VPN and/or DirectAccess

DirectAccess is inherently more secure than traditional client-based VPN. This is due to a number of factors. First, a DirectAccess client must be joined to the corporate domain, as its Active Directory computer account is used as part of the authentication process. In addition, the client must also have a computer certificate issued by the organization’s internal Public Key Infrastructure (PKI). For additional protection, organizations can also integrate existing smart cards (physical or virtual) or a dynamic one-time password (OTP) solution. All of this provides a high level of assurance that only authorized devices can establish secure remote corporate network connectivity. In contrast, typical VPN solutions require nothing more than VPN client software to establish a remote connection. If an attacker has gained access to valid corporate credentials, they can connect from any device they wish.

DirectAccess is always on, allowing administrators to exercise a greater degree of control and management over their remote devices than client-based VPN. This ensures that remote device configuration is always maintained and kept in compliance.

Ease of Use

DirectAccess provides an unrivaled user experience compared to VPN. DirectAccess is seamless and transparent, and does not require input from the user. The remote access connection is established securely at the machine level, freeing the end user from the cumbersome process of establishing a VPN connection whenever they need to access on-premises corporate resources. This makes users more productive while reducing help desk calls at the same time.

Simplified Provisioning and Deprovisioning

Onboarding DirectAccess clients is as simple as adding a computer’s account to a security group in Active Directory. All client configuration settings are applied to the client through Group Policy Objects (GPOs). There is no software to install and maintain on the DirectAccess client.
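As an added example (not code from the original post), the PowerShell below walks through the onboarding step just described and then verifies, on the client, the prerequisites discussed under the security benefits above: domain membership, a machine certificate from the internal PKI, the NRPT rules delivered by the DirectAccess client GPO, and the tunnel state. The security group name "DirectAccess Clients" and the computer name "LAPTOP01" are assumed placeholders; substitute your own.

```powershell
# Added example, not part of the original post. Assumes the DirectAccess client
# security group is named "DirectAccess Clients" and the client is "LAPTOP01"
# (both placeholders). Requires the ActiveDirectory module on the admin host and
# the DnsClient / DirectAccessClientComponents modules on a Windows 8+ client.

# ---- Part 1: run on an admin workstation or domain controller ----
Import-Module ActiveDirectory
$GroupName    = 'DirectAccess Clients'   # assumed group name
$ComputerName = 'LAPTOP01'               # assumed client name

# Onboarding: group membership is what targets the DirectAccess client GPO
$computer = Get-ADComputer -Identity $ComputerName
Add-ADGroupMember -Identity $GroupName -Members $computer

# ---- Part 2: run on the client after a reboot (group membership is read at boot) ----
gpupdate /target:computer /force

# 1. Domain-joined? The computer account is part of the authentication process.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { Write-Warning 'Client is not domain-joined' }

# 2. Machine certificate with a private key, not expired, and the
#    Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) issued by the internal PKI
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' }
if (-not $certs) { Write-Warning 'No valid machine certificate with Client Authentication EKU' }

# 3. Did the DirectAccess client GPO apply? Its NRPT rules should now be present.
$nrpt = Get-DnsClientNrptPolicy
if (-not $nrpt) { Write-Warning 'No NRPT rules present; the DirectAccess client GPO has not applied' }

# 4. Tunnel state as reported by the DirectAccess client components
Get-DAConnectionStatus
```

Part 1 needs rights to modify the group; Part 2 is what a help desk or compliance check would run on the endpoint. If step 2 or 3 warns, the client will not connect regardless of what the user does, which is the machine-level trust the post is describing.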

DirectAccess and client-based VPN aren’t mutually exclusive. They often complement each other well, and coexist peacefully in the network infrastructure. Organizations can safely take advantage of both solutions to provide the best and most secure remote access experience supported by the client platform. Sure, using only client-based VPN would work, but you’d be missing out on a significantly improved solution for your managed Windows clients.

There are many reasons why organizations should consider a DirectAccess solution, even if it does not meet all of their remote access requirements. To learn more about DirectAccess and the security benefits it provides, be sure to read our whitepaper entitled Security Considerations for DirectAccess Deployments.

For more information, drop a note to [email protected] or call us at (510) 6680700.
